Refactor key management (#3296)

* Add Call type to extensible transactions.

Cleanup some naming

* Merge Resource and BlockExhausted into just Exhausted

* Fix

* Another fix

* Call

* Some fixes

* Fix srml tests.

* Fix all tests.

* Refactor crypto so each application of it has its own type.

* Introduce new AuthorityProvider API into Aura

This will eventually allow for dynamic determination of authority
keys and avoid having to set them directly on CLI.

* Introduce authority determinator for Babe.

Experiment with modular consensus API.

* Work in progress to introduce KeyTypeId and avoid polluting API
with validator IDs

* Finish up drafting imonline

* Rework offchain workers API.

* Rework API implementation.

* Make it compile for wasm, simplify app_crypto.

* Fix compilation of im-online.

* Fix compilation of im-online.

* Fix more compilation errors.

* Make it compile.

* Fixing tests.

* Rewrite `keystore`

* Fix session tests

* Bring back `TryFrom`'s'

* Fix `srml-grandpa`

* Fix `srml-aura`

* Fix consensus babe

* More fixes

* Make service generate keys from dev_seed

* Build fixes

* Remove offchain tests

* More fixes and cleanups

* Fixes finality grandpa

* Fix `consensus-aura`

* Fix cli

* Fix `node-cli`

* Fix chain_spec builder

* Fix doc tests

* Add authority getter for grandpa.

* Test fix

* Fixes

* Make keystore accessible from the runtime

* Move app crypto to its own crate

* Update `Cargo.lock`

* Make the crypto stuff usable from the runtime

* Adds some runtime crypto tests

* Use last finalized block for grandpa authority

* Fix warning

* Adds `SessionKeys` runtime api

* Remove `FinalityPair` and `ConsensusPair`

* Minor governance tweaks to get it inline with docs.

* Make the governance be up to date with the docs.

* Build fixes.

* Generate the inital session keys

* Failing keystore is a hard error

* Make babe work again

* Fix grandpa

* Fix tests

* Disable `keystore` in consensus critical stuff

* Build fix.

* ImOnline supports multiple authorities at once.

* Update core/application-crypto/src/ed25519.rs

* Merge branch 'master' into gav-in-progress

* Remove unneeded code for now.

* Some `session` testing

* Support querying the public keys

* Cleanup offchain

* Remove warnings

* More cleanup

* Apply suggestions from code review

Co-Authored-By: Benjamin Kampmann <ben.kampmann@googlemail.com>

* More cleanups

* JSONRPC API for setting keys.

Also, rename traits::KeyStore* -> traits::BareCryptoStore*

* Bad merge

* Fix integration tests

* Fix test build

* Test fix

* Fixes

* Warnings

* Another warning

* Bump version.

substrate/core/application-crypto/src/ed25519.rs

@@ -0,0 +1,75 @@
+// Copyright 2019 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+//! Ed25519 crypto types.
+
+use crate::{RuntimePublic, KeyTypeId};
+
+pub use primitives::ed25519::*;
+
+mod app {
+	use crate::key_types::ED25519;
+	crate::app_crypto!(super, ED25519);
+}
+
+pub use app::Public as AppPublic;
+pub use app::Signature as AppSignature;
+#[cfg(feature="std")]
+pub use app::Pair as AppPair;
+
+impl RuntimePublic for Public {
+	type Signature = Signature;
+
+	fn all(key_type: KeyTypeId) -> crate::Vec<Self> {
+		rio::ed25519_public_keys(key_type)
+	}
+
+	fn generate_pair(key_type: KeyTypeId, seed: Option<&str>) -> Self {
+		rio::ed25519_generate(key_type, seed)
+	}
+
+	fn sign<M: AsRef<[u8]>>(&self, key_type: KeyTypeId, msg: &M) -> Option<Self::Signature> {
+		rio::ed25519_sign(key_type, self, msg)
+	}
+
+	fn verify<M: AsRef<[u8]>>(&self, msg: &M, signature: &Self::Signature) -> bool {
+		rio::ed25519_verify(&signature, msg.as_ref(), self)
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use sr_primitives::{generic::BlockId, traits::ProvideRuntimeApi};
+	use primitives::{testing::KeyStore, crypto::Pair, traits::BareCryptoStore as _};
+	use test_client::{
+		TestClientBuilder, DefaultTestClientBuilderExt, TestClientBuilderExt,
+		runtime::{TestAPI, app_crypto::ed25519::{AppPair, AppPublic}},
+	};
+
+	#[test]
+	fn ed25519_works_in_runtime() {
+		let keystore = KeyStore::new();
+		let test_client = TestClientBuilder::new().set_keystore(keystore.clone()).build();
+		let (signature, public) = test_client.runtime_api()
+			.test_ed25519_crypto(&BlockId::Number(0))
+			.expect("Tests `ed25519` crypto.");
+
+		let key_pair = keystore.read().ed25519_key_pair(crate::key_types::ED25519, &public.as_ref())
+			.expect("There should be at a `ed25519` key in the keystore for the given public key.");
+
+		assert!(AppPair::verify(&signature, "ed25519", &AppPublic::from(key_pair.public())));
+	}
+}

substrate/core/application-crypto/src/lib.rs

@@ -0,0 +1,320 @@
+// Copyright 2019 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+//! Traits and macros for constructing application specific strongly typed crypto wrappers.
+
+#![warn(missing_docs)]
+
+#![cfg_attr(not(feature = "std"), no_std)]
+
+#[doc(hidden)]
+pub use primitives::{self, crypto::{CryptoType, Public, Derive, IsWrappedBy, Wraps}};
+#[doc(hidden)]
+#[cfg(feature = "std")]
+pub use primitives::crypto::{SecretStringError, DeriveJunction, Ss58Codec, Pair};
+pub use primitives::{crypto::{KeyTypeId, key_types}};
+
+#[doc(hidden)]
+pub use codec;
+#[doc(hidden)]
+#[cfg(feature = "std")]
+pub use serde;
+#[doc(hidden)]
+pub use rstd::{ops::Deref, vec::Vec};
+
+pub mod ed25519;
+pub mod sr25519;
+mod traits;
+
+pub use traits::*;
+
+/// Declares Public, Pair, Signature types which are functionally equivalent to `$pair`, but are new
+/// Application-specific types whose identifier is `$key_type`.
+///
+/// ```rust
+///# use substrate_application_crypto::{app_crypto, wrap, ed25519, KeyTypeId};
+/// // Declare a new set of crypto types using Ed25519 logic that identifies as `KeyTypeId`
+/// // of value `b"fuba"`.
+/// app_crypto!(ed25519, KeyTypeId(*b"_uba"));
+/// ```
+#[macro_export]
+macro_rules! app_crypto {
+	($module:ident, $key_type:expr) => {
+		#[cfg(feature="std")]
+		$crate::app_crypto!($module::Pair, $module::Public, $module::Signature, $key_type);
+		#[cfg(not(feature="std"))]
+		$crate::app_crypto!($module::Public, $module::Signature, $key_type);
+	};
+	($pair:ty, $public:ty, $sig:ty, $key_type:expr) => {
+		$crate::app_crypto!($public, $sig, $key_type);
+
+		$crate::wrap!{
+			/// A generic `AppPublic` wrapper type over $pair crypto; this has no specific App.
+			#[derive(Clone)]
+			pub struct Pair($pair);
+		}
+
+		impl $crate::CryptoType for Pair {
+			type Pair = Pair;
+		}
+
+		#[cfg(feature = "std")]
+		impl $crate::Pair for Pair {
+			type Public = Public;
+			type Seed = <$pair as $crate::Pair>::Seed;
+			type Signature = Signature;
+			type DeriveError = <$pair as $crate::Pair>::DeriveError;
+			fn generate_with_phrase(password: Option<&str>) -> (Self, String, Self::Seed) {
+				let r = <$pair>::generate_with_phrase(password);
+				(Self(r.0), r.1, r.2)
+			}
+			fn from_phrase(phrase: &str, password: Option<&str>)
+				-> Result<(Self, Self::Seed), $crate::SecretStringError>
+			{
+				<$pair>::from_phrase(phrase, password).map(|r| (Self(r.0), r.1))
+			}
+			fn derive<
+				Iter: Iterator<Item=$crate::DeriveJunction>
+			>(&self, path: Iter) -> Result<Self, Self::DeriveError> {
+				self.0.derive(path).map(Self)
+			}
+			fn from_seed(seed: &Self::Seed) -> Self { Self(<$pair>::from_seed(seed)) }
+			fn from_seed_slice(seed: &[u8]) -> Result<Self, $crate::SecretStringError> {
+				<$pair>::from_seed_slice(seed).map(Self)
+			}
+			fn from_standard_components<
+				I: Iterator<Item=$crate::DeriveJunction>
+			>(
+				seed: &str,
+				password: Option<&str>,
+				path: I,
+			) -> Result<Self, $crate::SecretStringError> {
+				<$pair>::from_standard_components::<I>(seed, password, path).map(Self)
+			}
+			fn sign(&self, msg: &[u8]) -> Self::Signature {
+				Signature(self.0.sign(msg))
+			}
+			fn verify<M: AsRef<[u8]>>(
+				sig: &Self::Signature,
+				message: M,
+				pubkey: &Self::Public,
+			) -> bool {
+				<$pair>::verify(&sig.0, message, pubkey.as_ref())
+			}
+			fn verify_weak<P: AsRef<[u8]>, M: AsRef<[u8]>>(
+				sig: &[u8],
+				message: M,
+				pubkey: P,
+			) -> bool {
+				<$pair>::verify_weak(sig, message, pubkey)
+			}
+			fn public(&self) -> Self::Public { Public(self.0.public()) }
+			fn to_raw_vec(&self) -> Vec<u8> { self.0.to_raw_vec() }
+		}
+		impl $crate::AppKey for Pair {
+			type UntypedGeneric = $pair;
+			type Public = Public;
+			type Pair = Pair;
+			type Signature = Signature;
+			const ID: $crate::KeyTypeId = $key_type;
+		}
+		impl $crate::AppPair for Pair {
+			type Generic = $pair;
+		}
+	};
+	($public:ty, $sig:ty, $key_type:expr) => {
+		$crate::wrap!{
+			/// A generic `AppPublic` wrapper type over $public crypto; this has no specific App.
+			#[derive(
+				Clone, Default, Eq, PartialEq, Ord, PartialOrd, $crate::codec::Encode,
+				$crate::codec::Decode,
+			)]
+			#[cfg_attr(feature = "std", derive(Debug, Hash))]
+			pub struct Public($public);
+		}
+
+		impl $crate::Derive for Public {
+			#[cfg(feature = "std")]
+			fn derive<Iter: Iterator<Item=$crate::DeriveJunction>>(&self,
+				path: Iter
+			) -> Option<Self> {
+				self.0.derive(path).map(Self)
+			}
+		}
+
+		#[cfg(feature = "std")]
+		impl std::fmt::Display for Public {
+			fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+				use $crate::Ss58Codec;
+				write!(f, "{}", self.0.to_ss58check())
+			}
+		}
+		#[cfg(feature = "std")]
+		impl $crate::serde::Serialize for Public {
+			fn serialize<S>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error> where
+				S: $crate::serde::Serializer
+			{
+				use $crate::Ss58Codec;
+				serializer.serialize_str(&self.to_ss58check())
+			}
+		}
+		#[cfg(feature = "std")]
+		impl<'de> $crate::serde::Deserialize<'de> for Public {
+			fn deserialize<D>(deserializer: D) -> std::result::Result<Self, D::Error> where
+				D: $crate::serde::Deserializer<'de>
+			{
+				use $crate::Ss58Codec;
+				Public::from_ss58check(&String::deserialize(deserializer)?)
+					.map_err(|e| $crate::serde::de::Error::custom(format!("{:?}", e)))
+			}
+		}
+
+		impl AsRef<[u8]> for Public {
+			fn as_ref(&self) -> &[u8] { self.0.as_ref() }
+		}
+
+		impl AsMut<[u8]> for Public {
+			fn as_mut(&mut self) -> &mut [u8] { self.0.as_mut() }
+		}
+
+		impl $crate::CryptoType for Public {
+			#[cfg(feature="std")]
+			type Pair = Pair;
+		}
+
+		impl $crate::Public for Public {
+			fn from_slice(x: &[u8]) -> Self { Self(<$public>::from_slice(x)) }
+		}
+
+		impl $crate::AppKey for Public {
+			type UntypedGeneric = $public;
+			type Public = Public;
+			#[cfg(feature="std")]
+			type Pair = Pair;
+			type Signature = Signature;
+			const ID: $crate::KeyTypeId = $key_type;
+		}
+
+		impl $crate::AppPublic for Public {
+			type Generic = $public;
+		}
+
+		impl $crate::RuntimeAppPublic for Public where $public: $crate::RuntimePublic<Signature=$sig> {
+			type Signature = Signature;
+
+			fn all() -> $crate::Vec<Self> {
+				<$public as $crate::RuntimePublic>::all($key_type).into_iter().map(Self).collect()
+			}
+
+			fn generate_pair(seed: Option<&str>) -> Self {
+				Self(<$public as $crate::RuntimePublic>::generate_pair($key_type, seed))
+			}
+
+			fn sign<M: AsRef<[u8]>>(&self, msg: &M) -> Option<Self::Signature> {
+				<$public as $crate::RuntimePublic>::sign(
+					self.as_ref(),
+					$key_type,
+					msg,
+				).map(Signature)
+			}
+
+			fn verify<M: AsRef<[u8]>>(&self, msg: &M, signature: &Self::Signature) -> bool {
+				<$public as $crate::RuntimePublic>::verify(self.as_ref(), msg, &signature.as_ref())
+			}
+		}
+
+		$crate::wrap! {
+			/// A generic `AppPublic` wrapper type over $public crypto; this has no specific App.
+			#[derive(Clone, Default, Eq, PartialEq, $crate::codec::Encode, $crate::codec::Decode)]
+			#[cfg_attr(feature = "std", derive(Debug, Hash))]
+			pub struct Signature($sig);
+		}
+
+		impl $crate::Deref for Signature {
+			type Target = [u8];
+
+			fn deref(&self) -> &Self::Target { self.0.as_ref() }
+		}
+
+		impl AsRef<[u8]> for Signature {
+			fn as_ref(&self) -> &[u8] { self.0.as_ref() }
+		}
+
+		impl $crate::CryptoType for Signature {
+			#[cfg(feature="std")]
+			type Pair = Pair;
+		}
+
+		impl $crate::AppKey for Signature {
+			type UntypedGeneric = $sig;
+			type Public = Public;
+			#[cfg(feature="std")]
+			type Pair = Pair;
+			type Signature = Signature;
+			const ID: $crate::KeyTypeId = $key_type;
+		}
+
+		impl $crate::AppSignature for Signature {
+			type Generic = $sig;
+		}
+	}
+}
+
+/// Implement bidirectional `From` and on-way `AsRef`/`AsMut` for two types, `$inner` and `$outer`.
+///
+/// ```rust
+/// substrate_application_crypto::wrap! {
+///     pub struct Wrapper(u32);
+/// }
+/// ```
+#[macro_export]
+macro_rules! wrap {
+	($( #[ $attr:meta ] )* struct $outer:ident($inner:ty);) => {
+		$( #[ $attr ] )*
+		struct $outer( $inner );
+		$crate::wrap!($inner, $outer);
+	};
+	($( #[ $attr:meta ] )* pub struct $outer:ident($inner:ty);) => {
+		$( #[ $attr ] )*
+		pub struct $outer( $inner );
+		$crate::wrap!($inner, $outer);
+	};
+	($inner:ty, $outer:ty) => {
+		impl $crate::Wraps for $outer {
+			type Inner = $inner;
+		}
+		impl From<$inner> for $outer {
+			fn from(inner: $inner) -> Self {
+				Self(inner)
+			}
+		}
+		impl From<$outer> for $inner {
+			fn from(outer: $outer) -> Self {
+				outer.0
+			}
+		}
+		impl AsRef<$inner> for $outer {
+			fn as_ref(&self) -> &$inner {
+				&self.0
+			}
+		}
+		impl AsMut<$inner> for $outer {
+			fn as_mut(&mut self) -> &mut $inner {
+				&mut self.0
+			}
+		}
+	}
+}

substrate/core/application-crypto/src/sr25519.rs

@@ -0,0 +1,75 @@
+// Copyright 2019 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+//! Sr25519 crypto types.
+
+use crate::{RuntimePublic, KeyTypeId};
+
+pub use primitives::sr25519::*;
+
+mod app {
+	use crate::key_types::SR25519;
+	crate::app_crypto!(super, SR25519);
+}
+
+pub use app::Public as AppPublic;
+pub use app::Signature as AppSignature;
+#[cfg(feature="std")]
+pub use app::Pair as AppPair;
+
+impl RuntimePublic for Public {
+	type Signature = Signature;
+
+	fn all(key_type: KeyTypeId) -> crate::Vec<Self> {
+		rio::sr25519_public_keys(key_type)
+	}
+
+	fn generate_pair(key_type: KeyTypeId, seed: Option<&str>) -> Self {
+		rio::sr25519_generate(key_type, seed)
+	}
+
+	fn sign<M: AsRef<[u8]>>(&self, key_type: KeyTypeId, msg: &M) -> Option<Self::Signature> {
+		rio::sr25519_sign(key_type, self, msg)
+	}
+
+	fn verify<M: AsRef<[u8]>>(&self, msg: &M, signature: &Self::Signature) -> bool {
+		rio::sr25519_verify(&signature, msg.as_ref(), self)
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use sr_primitives::{generic::BlockId, traits::ProvideRuntimeApi};
+	use primitives::{testing::KeyStore, crypto::Pair, traits::BareCryptoStore as _};
+	use test_client::{
+		TestClientBuilder, DefaultTestClientBuilderExt, TestClientBuilderExt,
+		runtime::{TestAPI, app_crypto::sr25519::{AppPair, AppPublic}},
+	};
+
+	#[test]
+	fn sr25519_works_in_runtime() {
+		let keystore = KeyStore::new();
+		let test_client = TestClientBuilder::new().set_keystore(keystore.clone()).build();
+		let (signature, public) = test_client.runtime_api()
+			.test_sr25519_crypto(&BlockId::Number(0))
+			.expect("Tests `sr25519` crypto.");
+
+		let key_pair = keystore.read().sr25519_key_pair(crate::key_types::SR25519, public.as_ref())
+			.expect("There should be at a `sr25519` key in the keystore for the given public key.");
+
+		assert!(AppPair::verify(&signature, "sr25519", &AppPublic::from(key_pair.public())));
+	}
+}

substrate/core/application-crypto/src/traits.rs

@@ -0,0 +1,120 @@
+// Copyright 2019 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+use primitives::crypto::{KeyTypeId, CryptoType, IsWrappedBy, Public};
+#[cfg(feature = "std")]
+use primitives::crypto::Pair;
+
+/// An application-specific key.
+pub trait AppKey: 'static + Send + Sync + Sized + CryptoType + Clone {
+	/// The corresponding type as a generic crypto type.
+	type UntypedGeneric: IsWrappedBy<Self>;
+
+	/// The corresponding public key type in this application scheme.
+	type Public: AppPublic;
+
+	/// The corresponding key pair type in this application scheme.
+	#[cfg(feature="std")]
+	type Pair: AppPair;
+
+	/// The corresponding signature type in this application scheme.
+	type Signature: AppSignature;
+
+	/// An identifier for this application-specific key type.
+	const ID: KeyTypeId;
+}
+
+/// Type which implements Debug and Hash in std, not when no-std (std variant).
+#[cfg(feature = "std")]
+pub trait MaybeDebugHash: std::fmt::Debug + std::hash::Hash {}
+#[cfg(feature = "std")]
+impl<T: std::fmt::Debug + std::hash::Hash> MaybeDebugHash for T {}
+
+/// Type which implements Debug and Hash in std, not when no-std (no-std variant).
+#[cfg(not(feature = "std"))]
+pub trait MaybeDebugHash {}
+#[cfg(not(feature = "std"))]
+impl<T> MaybeDebugHash for T {}
+
+/// A application's public key.
+pub trait AppPublic: AppKey + Public + Ord + PartialOrd + Eq + PartialEq + MaybeDebugHash + codec::Codec {
+	/// The wrapped type which is just a plain instance of `Public`.
+	type Generic:
+		IsWrappedBy<Self> + Public + Ord + PartialOrd + Eq + PartialEq + MaybeDebugHash + codec::Codec;
+}
+
+/// A application's key pair.
+#[cfg(feature = "std")]
+pub trait AppPair: AppKey + Pair<Public=<Self as AppKey>::Public> {
+	/// The wrapped type which is just a plain instance of `Pair`.
+	type Generic: IsWrappedBy<Self> + Pair<Public=<<Self as AppKey>::Public as AppPublic>::Generic>;
+}
+
+/// A application's signature.
+pub trait AppSignature: AppKey + Eq + PartialEq + MaybeDebugHash {
+	/// The wrapped type which is just a plain instance of `Signature`.
+	type Generic: IsWrappedBy<Self> + Eq + PartialEq + MaybeDebugHash;
+}
+
+/// A runtime interface for a public key.
+pub trait RuntimePublic: Sized {
+	/// The signature that will be generated when signing with the corresponding private key.
+	type Signature;
+
+	/// Returns all public keys for the given key type in the keystore.
+	fn all(key_type: KeyTypeId) -> crate::Vec<Self>;
+
+	/// Generate a public/private pair for the given key type and store it in the keystore.
+	///
+	/// Returns the generated public key.
+	fn generate_pair(key_type: KeyTypeId, seed: Option<&str>) -> Self;
+
+	/// Sign the given message with the corresponding private key of this public key.
+	///
+	/// The private key will be requested from the keystore using the given key type.
+	///
+	/// Returns the signature or `None` if the private key could not be found or some other error
+	/// occurred.
+	fn sign<M: AsRef<[u8]>>(&self, key_type: KeyTypeId, msg: &M) -> Option<Self::Signature>;
+
+	/// Verify that the given signature matches the given message using this public key.
+	fn verify<M: AsRef<[u8]>>(&self, msg: &M, signature: &Self::Signature) -> bool;
+}
+
+/// A runtime interface for an application's public key.
+pub trait RuntimeAppPublic: Sized {
+	/// The signature that will be generated when signing with the corresponding private key.
+	type Signature;
+
+	/// Returns all public keys for this application in the keystore.
+	fn all() -> crate::Vec<Self>;
+
+	/// Generate a public/private pair and store it in the keystore.
+	///
+	/// Returns the generated public key.
+	fn generate_pair(seed: Option<&str>) -> Self;
+
+	/// Sign the given message with the corresponding private key of this public key.
+	///
+	/// The private key will be requested from the keystore.
+	///
+	/// Returns the signature or `None` if the private key could not be found or some other error
+	/// occurred.
+	fn sign<M: AsRef<[u8]>>(&self, msg: &M) -> Option<Self::Signature>;
+
+	/// Verify that the given signature matches the given message using this public key.
+	fn verify<M: AsRef<[u8]>>(&self, msg: &M, signature: &Self::Signature) -> bool;
+}